Cybercrooks have set up a web store that offers rented access to compromised machines on the TDSS/TDL-4 botnet.
The latest version of the TDSS botnet agent bundles a component that turns compromised machines into a proxy connected to awmproxy.net.
AWMproxy - which purportedly accepts payment via PayPal, MasterCard, and Visa - …

Following

The main problem would be the time between any siphoning and its reporting. Most people only get a statement once a month and the perps can run a scrape for 24 hours then take the money and run. Once they have it as cash they could set up and re-run.

It's the usual problem where the black-hats have to act before the white hats can react and with electronic money you don't need much of a head start.

So why not rent the botnet to identify its members?

Set up a particular IP address for logging connections, rent the botnet, browse to that IP, identify botnet zombies, and either cut them off or clean them up. Even if the ISPs won't play ball, the big email services could simply reject all connections from those IPs.

legalities

There are legal issues with "cleaning" people's machines, like what if you break it and it's doing vital life-dependent work? And blocking the IPs - well, they do change from time to time, so you'd also be blocking innocent people with no malware.